Potential Persistence via Time Provider Modification
Identifies modification of the Time Provider. Adversaries may establish persistence by registering and enabling a malicious DLL as a time provider. Windows uses the time provider architecture to obtain accurate time stamps from other network devices or clients in the network. Time providers are implemented in the form of a DLL file which resides in the System32 folder. The service W32Time initiates during the startup of Windows and loads w32time.dll.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2021/01/19"
3integration = ["endpoint"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2023/06/22"
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies modification of the Time Provider. Adversaries may establish persistence by registering and enabling a
13malicious DLL as a time provider. Windows uses the time provider architecture to obtain accurate time stamps from other
14network devices or clients in the network. Time providers are implemented in the form of a DLL file which resides in the
15System32 folder. The service W32Time initiates during the startup of Windows and loads w32time.dll.
16"""
17from = "now-9m"
18index = ["logs-endpoint.events.*", "endgame-*"]
19language = "eql"
20license = "Elastic License v2"
21name = "Potential Persistence via Time Provider Modification"
22references = ["https://pentestlab.blog/2019/10/22/persistence-time-providers/"]
23risk_score = 47
24rule_id = "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204"
25severity = "medium"
26tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
27timestamp_override = "event.ingested"
28type = "eql"
29
30query = '''
31registry where host.os.type == "windows" and event.type:"change" and
32 registry.path: (
33 "HKLM\\SYSTEM\\*ControlSet*\\Services\\W32Time\\TimeProviders\\*",
34 "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Services\\W32Time\\TimeProviders\\*"
35 ) and
36 registry.data.strings:"*.dll"
37'''
38
39
40[[rule.threat]]
41framework = "MITRE ATT&CK"
42[[rule.threat.technique]]
43id = "T1547"
44name = "Boot or Logon Autostart Execution"
45reference = "https://attack.mitre.org/techniques/T1547/"
46[[rule.threat.technique.subtechnique]]
47id = "T1547.003"
48name = "Time Providers"
49reference = "https://attack.mitre.org/techniques/T1547/003/"
50
51
52
53[rule.threat.tactic]
54id = "TA0003"
55name = "Persistence"
56reference = "https://attack.mitre.org/tactics/TA0003/"
References
-
Windows operating systems are utilizing the time provider architecture in order to obtain accurate time stamps from other network devices or clients in the network. Time providers are implemented i…
Read More
Related rules
- Adobe Hijack Persistence
- Component Object Model Hijacking
- Creation of a Hidden Local User Account
- Creation or Modification of a new GPO Scheduled Task or Service
- Execution of Persistent Suspicious Program